Viewing the contents of a reference set
View information about the data elements in the reference set, such as the domain
assignment, the expiry on the data, and when the element was last seen in your network.
Procedure
- On the navigation menu, click Admin.
- In the System Configuration section, click Reference Set Management.
- Select a reference set and click View Contents.
- Click the Content tab to view information about each data element.

  Tip: Use the search field to filter for all elements that match a keyword. You can't search for data in the Time To Live column.

  Learn more about the data elements:

  The following table describes the information that is shown for each data element in the reference set.

  Table 1. Information about the reference set data elements

  | Parameter | Description |
  | --- | --- |
  | Domain | Domain-specific reference data can be viewed by tenant users who have access to the domain, MSSP Administrators, and users who do not have a tenant assignment. Users in all tenants can view shared reference data. |
  | Value | The data element that is stored in the reference set. For example, the value might show user names or IP addresses. |
  | Origin | Shows the user name when the data element is added manually, and the file name when the data was added by importing it from an external file. Shows the rule name when the data element is added in response to a rule. |
  | Time to Live | The time that is remaining until this element is removed from the reference set. |
  | Date Last Seen | The date and time that this element was last detected on your network. |

- Click the References tab to view the rules that use the reference set in a rule test or in a rule response.

  Table 2. Content tab parameters

  | Parameter | Description |
  | --- | --- |
  | Rule Name | Name of the rule that is configured to use the reference set. |
  | Group | The group that the rule belongs to. |
  | Category | Shows if the rule is a custom rule or an anomaly detection rule. |
  | Type | Shows event, flow, common, or offense to indicate the type of data that the rule is tested against. |
  | Enabled | A rule must be enabled for the custom rule engine to evaluate it. |
  | Response | The responses that are configured for this rule. |
  | Origin | System indicates a default rule. Modified indicates that a default rule was customized. User indicates a user-created rule. |
- To view or edit an associated rule, double-click the rule in the References list and complete the rule wizard.
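
The review that the Content tab supports (which origin added an element, and when it was last seen) can also be run over exported element data. The following is an added example, not part of the original documentation: the record layout and the field names `source` and `last_seen` are assumptions modeled on the QRadar reference data REST API, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample, not real data. Field names are assumptions modeled on the
# QRadar reference data REST API: "source" stands for the Origin column and
# "last_seen" (epoch milliseconds) for the Date Last Seen column.
SAMPLE_SET = {
    "name": "Example-Watchlist",
    "element_type": "IP",
    "data": [
        {"value": "192.0.2.10", "source": "admin", "last_seen": 1717200000000},
        {"value": "192.0.2.44", "source": "watchlist.csv", "last_seen": 1704067200000},
        {"value": "198.51.100.7", "source": "Example Rule", "last_seen": 1718000000000},
        {"value": "203.0.113.5", "source": "watchlist.csv"},  # no last-seen timestamp
    ],
}


def last_seen_utc(element):
    """Return the element's last-seen time as an aware datetime, or None."""
    ms = element.get("last_seen")
    return None if ms is None else datetime.fromtimestamp(ms / 1000, tz=timezone.utc)


def stale_elements(ref_set, now, max_age_days):
    """List (value, origin, age_days) for elements not seen within max_age_days."""
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for el in ref_set.get("data", []):
        seen = last_seen_utc(el)
        if seen is None or seen < cutoff:
            age = None if seen is None else (now - seen).days
            stale.append((el["value"], el.get("source", "unknown"), age))
    # Elements with no timestamp come first, then the oldest sightings.
    return sorted(stale, key=lambda s: (s[2] is not None, -(s[2] or 0)))


def values_by_origin(ref_set):
    """Group element values by the origin that added them."""
    groups = defaultdict(list)
    for el in ref_set.get("data", []):
        groups[el.get("source", "unknown")].append(el["value"])
    return dict(groups)


if __name__ == "__main__":
    now = datetime(2024, 6, 15, tzinfo=timezone.utc)  # fixed so output is repeatable
    for value, origin, age in stale_elements(SAMPLE_SET, now, max_age_days=30):
        print(f"{value:15} origin={origin:15} age_days={age}")
    for origin, values in values_by_origin(SAMPLE_SET).items():
        print(f"{origin}: {len(values)} element(s)")
```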